Yes, Cisco had every right to sue, but sometimes it's best to just lay low. Whether you're a politician, celebrity or technology vendor, there's no surer way to call mass attention to the sensitive subject you're trying to downplay than to declare the public isn't entitled to know anything more about it. If you're Cisco, you certainly don't threaten a 24-year-old researcher and the organizers of a conference whose attendees already are cynical of authority. The fiercely independent infosec community doesn't take kindly to being pushed around, as evidenced by the ovation Lynn received at Black Hat. If Cisco had just left the lad alone, his 15 minutes would have amounted to a nanosecond and few people today would be talking about security vulnerabilities in Cisco networking gear.
Cisco says that it disclosed the IOS vulnerability and issued a patch in April--that Lynn described only a new and different way to exploit the flaw. Regardless, the "heightened sense of public awareness"--as a Cisco spokesman described the Lynn kerfuffle--prodded the company to issue a more detailed security advisory late last month, explaining how IOS is vulnerable to denial-of-service attacks and possibly to a more dangerous remote exploit. Cisco also posted a list of the fixed versions of IOS that customers could adopt, as well as a work-around. Hopefully, Cisco shops are paying attention and Cisco learned something about the value of communicating openly with customers and the public.
'Premature' Findings
But if Cisco was willing to come clean, why did it raise such a stink about Lynn's Black Hat presentation? Cisco and ISS maintain that Lynn's research was "premature" and that they planned to present a more developed version of it at a later security conference. We'll see.
For his part, Lynn says he felt compelled to report the IOS vulnerability before it was exploited in attacks on the Internet, though he maintains he never revealed details that would abet an attacker.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
